Cybersecurity Threat Hunting

“The earlier the better, but not too late and never ignore.”

  1. Overview

Cyber threats represent significant commercial and operational risk, yet many organizations do not know what threats they face, what their most critical cyber assets are, or who and what they are defending against.

Threat hunting is the human-driven, proactive and iterative search through networks, endpoints, or datasets to detect malicious, suspicious, or risky activity that has evaded detection by existing automated tools. It is an analyst-driven process that searches for attacker tactics, techniques, and procedures (TTPs) within an environment, giving an organization a proactive opportunity to uncover attacker presence.

  2. Approach

Seven Step Consulting’s Threat Hunting Service is composed of four stages:

a) Real-time intelligence gathering and analysis.

The goal is to obtain a snapshot in time of your attack surface – the cybercriminal and cyber-espionage threats and attacks potentially or actively targeting your assets. We’ll be tapping into internal and external intelligence sources, including underground fraudster communities. Analysing this intelligence allows us to identify, for example, weaknesses in your infrastructure of current interest to cybercriminals, or compromised accounts.

b) Onsite data collection and early incident response.

Alongside the threat intelligence activity, our experts will be on site collecting network and system artefacts, together with any SIEM information available. We may also conduct a brief vulnerability assessment to reveal the most critical security flaws for immediate action.

If an incident has already taken place, we’ll be collecting evidence for investigation.

At this stage, we’ll provide you with our interim recommendations for short-term remediation steps.

c) Data analysis.

The network and system artefacts collected will be analysed using our knowledge base of IoCs, C&C blacklists, sandboxing technology, etc. to understand exactly what has been happening in your systems. If, for example, new malware is identified at this stage, we’ll give you advice and the tools (e.g., YARA rules) to detect it right away. We’ll be keeping in close touch with you throughout, working remotely with your systems if appropriate.

d) Report preparation.

Finally, we’ll prepare our formal report with targeted attack discovery results and our recommendations for further remediation activity.

Four Primary Threat Hunting Techniques

1. Searching
a. Query data for specific results or artifacts.
2. Clustering
a. Clustering is a statistical technique, often carried out with machine learning.
b. It deals with a large group of data points that do not explicitly share immediately obvious behavioural characteristics.
3. Grouping
a. Grouping consists of taking a set of multiple unique artifacts and identifying when several of them appear together based on specific criteria.
4. Stack Counting
a. Stacking involves counting the number of occurrences of values of a particular type.
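As an added illustration of the searching, grouping and stack counting techniques listed above (example code written for this page, not Seven Step Consulting’s own tooling), the following Python runs all three over a small constructed set of process-creation events; the field names, process lineage and hostnames are assumed.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (hypothetical process-creation events), not real data.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws04", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws02", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws03", "parent": "winword.exe", "image": "powershell.exe"},  # unusual lineage
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws04", "parent": "services.exe", "image": "svchost.exe"},
]

def search(events, **criteria):
    """Searching: return the events whose fields exactly match every criterion."""
    return [e for e in events if all(e.get(f) == v for f, v in criteria.items())]

def stack(events, key_fields):
    """Stack counting: how often each value tuple occurs, and on which hosts."""
    counts = Counter()
    hosts = defaultdict(set)
    for e in events:
        key = tuple(e[f] for f in key_fields)
        counts[key] += 1
        hosts[key].add(e["host"])
    return counts, hosts

def rare_stacks(events, key_fields, max_hosts=1):
    """Hunting leads: value tuples seen on at most max_hosts hosts, least common first."""
    counts, hosts = stack(events, key_fields)
    rare = [(k, counts[k], sorted(hosts[k])) for k in counts if len(hosts[k]) <= max_hosts]
    return sorted(rare, key=lambda r: (r[1], r[0]))

def group(events, required):
    """Grouping: hosts on which every (field, value) artifact in `required` appears together."""
    by_host = defaultdict(set)
    for e in events:
        for f, v in e.items():
            if f != "host":
                by_host[e["host"]].add((f, v))
    return sorted(h for h, arts in by_host.items() if set(required) <= arts)
```

Stacking on the (parent, image) pair surfaces the single winword.exe to powershell.exe lineage on ws03 as the only outlier, which is the kind of lead an analyst would then pivot on with search and group.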

  3. Benefits

Threat hunting tells you who is already in your environment and what they’re up to. It deals with the actual state of the environment and shows what threats are targeting the company. Threat hunting offers many benefits, including:

  • Reduction in breaches and breach attempts;
  • A smaller attack surface with fewer attack vectors;
  • Increase in the speed and accuracy of a response; and
  • Measurable improvements in the security of your environment.

  4. Deliverables

Our findings are delivered in a detailed report covering:

  • Our overall discoveries – confirmation of the presence or absence of compromise signs in your network
  • In-depth analysis – of threat intelligence data gathered and of the Indicators of Compromise (IoCs) revealed.
  • Detailed descriptions – of vulnerabilities exploited, possible attack sources, and the network components affected.
  • Remediation recommendations – suggested steps to mitigate consequences of the incident revealed and to protect your resources from similar attacks in future.

Threat Modeling and Threat Hunting is available in an annual package with quarterly exercises.

Additional services

  • You can also ask our experts to analyze the symptoms of an incident, perform deep digital analysis of specific systems, identify a malware binary (if any) and conduct malware analysis. These optional services are reported separately, with further remediation recommendations.